Fixed CVE-2018-10196

This commit is contained in:
Jaroslav Škarvada 2018-05-17 13:26:04 +02:00
parent 5867985c23
commit 49e23d16a2
2 changed files with 23 additions and 1 deletions

View File

@ -0,0 +1,16 @@
diff --git a/lib/dotgen/conc.c b/lib/dotgen/conc.c
--- a/lib/dotgen/conc.c
+++ b/lib/dotgen/conc.c
@@ -159,7 +159,11 @@ static void rebuild_vlists(graph_t * g)
for (r = GD_minrank(g); r <= GD_maxrank(g); r++) {
lead = GD_rankleader(g)[r];
- if (GD_rank(dot_root(g))[r].v[ND_order(lead)] != lead) {
+ if (lead == NULL) {
+ agerr(AGERR, "rebuiltd_vlists: lead is null for rank %d\n", r);
+ longjmp(jbuf, 1);
+ }
+ else if (GD_rank(dot_root(g))[r].v[ND_order(lead)] != lead) {
agerr(AGERR, "rebuiltd_vlists: rank lead %s not in order %d of rank %d\n",
agnameof(lead), ND_order(lead), r);
longjmp(jbuf, 1);

View File

@ -55,12 +55,14 @@
Name: graphviz Name: graphviz
Summary: Graph Visualization Tools Summary: Graph Visualization Tools
Version: 2.40.1 Version: 2.40.1
Release: 25%{?dist} Release: 26%{?dist}
License: EPL License: EPL
URL: http://www.graphviz.org/ URL: http://www.graphviz.org/
Source0: http://www.graphviz.org/pub/graphviz/ARCHIVE/%{name}-%{version}.tar.gz Source0: http://www.graphviz.org/pub/graphviz/ARCHIVE/%{name}-%{version}.tar.gz
Patch0: graphviz-2.40.1-visio.patch Patch0: graphviz-2.40.1-visio.patch
Patch1: graphviz-2.40.1-python3.patch Patch1: graphviz-2.40.1-python3.patch
# https://gitlab.com/graphviz/graphviz/issues/1367
Patch2: graphviz-2.40.1-CVE-2018-10196.patch
BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2 BuildRequires: zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig BuildRequires: ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig
BuildRequires: fontconfig-devel, libtool-ltdl-devel, ruby-devel, ruby, guile-devel BuildRequires: fontconfig-devel, libtool-ltdl-devel, ruby-devel, ruby, guile-devel
@ -276,6 +278,7 @@ Various tcl packages (extensions) for the graphviz tools.
%setup -q %setup -q
%patch0 -p1 -b .visio %patch0 -p1 -b .visio
%patch1 -p1 -b .python3 %patch1 -p1 -b .python3
%patch2 -p1 -b .CVE-2018-10196
# Attempt to fix rpmlint warnings about executable sources # Attempt to fix rpmlint warnings about executable sources
find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';' find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@ -591,6 +594,9 @@ php --no-php-ini \
%{_mandir}/man3/*.3tcl* %{_mandir}/man3/*.3tcl*
%changelog %changelog
* Thu May 17 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.40.1-26
- Fixed CVE-2018-10196
* Thu May 3 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.40.1-25 * Thu May 3 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.40.1-25
- Made python2 package optional - Made python2 package optional